Payment card industry compliance needs a boost

Graham Titterington
Oct. 14, 2009

Although the payment card industry (PCI) DSS standard has been a mandatory requirement for merchants and other organisations handling payment card data for over four years, non-compliance is still rife. The volume of payment card data breaches is increasing. We should not write off the standard as useless, for it appears that the situation would have been much worse without it. However, more needs to be done to enforce compliance, and the scope of the regulations should be more comprehensive.

Recent breaches show the shortcomings of the present situation

Globally, 285 million payment card records were lost in 2008. 2009 started with news of the biggest breach yet, involving 100 million card records from Heartland Payment Systems. This follows the TJX breach in 2007 and the Card Systems breach in 2006. One disturbing aspect is that Heartland was, and is, certified as being PCI-compliant.

White Hat conducted a survey in the US with the Ponemon Institute and found that only about 50 per cent of companies were PCI-compliant. The global situation is undoubtedly much worse. It also found that companies that adopted a grudging tick-box mentality to compliance were significantly more likely to suffer a breach than those companies that entered into the spirit of the initiative and adopted a more comprehensive risk-reduction strategy. For example, good practice includes encrypting the cardholder's personal information, and not just the card data. However, in a significant number of companies PCI has raised awareness of the issues and brought wider security improvements.

Payment handlers can use new technology or services

Data breaches are occurring as a result of insecure processing infrastructure at both the merchant and the payment processing levels in the business. The most serious cases involve hacking into the organisation's database, and SQL injection attacks are particularly prevalent. Two ways to eliminate this category of vulnerability are by securely encrypting the data or by not storing the data! Two recent announcements illustrate these options.

Thales has launched its PayShield 9000 hardware security module (HSM) that encrypts and decrypts data in a secure processing unit, where it also stores encryption keys and PINs (if required). Thales equipment already handles about 50 per cent of the world's HSM market relating to ATM and point of sale (POS) transactions, and the latest product offers significant performance, manageability and resilience advances over its predecessors.

Last month, First Data announced that it is working on its Secure Transaction Management Service, based on technology from RSA Security. First Data handled $1.4 trillion in payments in 2008. Its Secure Transaction Management Service will be a managed service in which card data is encrypted in the POS terminal and then sent to the First Data data centre for processing and storage. The merchant is given a token that is a receipt for the transaction but has no intrinsic value. This removes the obligations for PCI compliance from the merchant. This is likely to be an attractive approach for SMEs.
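
The token arrangement described above can be sketched as follows. This is an added illustration, not code from First Data or RSA Security: the `ProcessorVault`, `Merchant` and `ledger_exposes` names are hypothetical, and the terminal-side encryption is left out so the example can focus on what the merchant ends up storing.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check, used only to reject mistyped card numbers."""
    if not pan.isdigit():
        return False
    d = [int(c) for c in reversed(pan)]
    return (sum(d[0::2]) + sum(sum(divmod(2 * x, 10)) for x in d[1::2])) % 10 == 0

class ProcessorVault:
    """Hypothetical processor side: the only place the card number is stored."""
    def __init__(self):
        self._by_token = {}                      # token -> (pan, amount)

    def authorise(self, pan: str, amount: int) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(16)        # random, not derived from the PAN
        self._by_token[token] = (pan, amount)
        return token

    def refund(self, token: str) -> int:
        """Resolve a receipt token; unknown or already-used tokens raise KeyError."""
        _pan, amount = self._by_token.pop(token)
        return amount

class Merchant:
    """Hypothetical merchant side: stores the token and display data only."""
    def __init__(self, vault: ProcessorVault):
        self.vault, self.ledger = vault, []

    def sale(self, pan: str, amount: int) -> str:
        # Stands in for the POS terminal, which would encrypt the PAN in transit.
        token = self.vault.authorise(pan, amount)
        self.ledger.append({"token": token, "last4": pan[-4:], "amount": amount})
        return token

def ledger_exposes(ledger, pan: str) -> bool:
    """True if a dump of the merchant ledger would contain the full card number."""
    return any(pan in str(v) for row in ledger for v in row.values())

if __name__ == "__main__":
    TEST_PAN = "4111111111111111"                # constructed test number, not a real card
    shop = Merchant(ProcessorVault())
    receipt = shop.sale(TEST_PAN, 1999)
    print(shop.ledger, ledger_exposes(shop.ledger, TEST_PAN))
    print(shop.vault.refund(receipt))
```

Because each token is drawn at random per transaction, two sales on the same card produce unrelated tokens, and a dump of the merchant ledger yields nothing that can be turned back into a card number without access to the processor's vault.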